Overview

overview

10

Static

static

Lists.exe

windows7_x64

10

Lists.exe

windows10_x64

10

Resubmissions

25-06-2021 19:00

210625-l7qmjgnpce 10

19-01-2021 19:24

210119-ghpg62s8zx 10

18-01-2021 18:42

210118-qjpbmwpaks 10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-01-2021 19:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Lists.exe

  • Size

    799KB

  • MD5

    c715a5419ed1ece6e2051e35d3674cc3

  • SHA1

    98e8a74c315b42b88e73129108d5ad338c888124

  • SHA256

    c363769d3d6ae833d71203a5a678ad04349404eae3788865fcdb706c3c7543b0

  • SHA512

    1cbec375fff5500f8247c4be30b6aa15de47ab73b7d914036c76b05ca9db6eb89aad21f1d45fe955c068a8df94393d34a1b88c2fc159340b72759c0dfa93983d

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

185.140.53.136:1818

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lists.exe
    "C:\Users\Admin\AppData\Local\Temp\Lists.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN systemfiles64 /XML "C:\Users\Admin\AppData\Local\Temp\1ade0704ac3e4fb2ba15d56f097cccb0.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN systemfiles64 /XML "C:\Users\Admin\AppData\Local\Temp\1ade0704ac3e4fb2ba15d56f097cccb0.xml"
        3⤵
        • Creates scheduled task(s)
        PID:1992
    • C:\Users\Admin\AppData\Local\Temp\Lists.exe
      "C:\Users\Admin\AppData\Local\Temp\Lists.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Users\Admin\AppData\Local\Temp\Lists.exe
        "C:\Users\Admin\AppData\Local\Temp\Lists.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1904
        • C:\Users\Admin\AppData\Local\Temp\Lists.exe
          "C:\Users\Admin\AppData\Local\Temp\Lists.exe"
          4⤵
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1784
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1092
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
              6⤵
                PID:1476

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1ade0704ac3e4fb2ba15d56f097cccb0.xml
      MD5

      88680b78e11695a91d52603085d85164

      SHA1

      c188839c25b275be52a25c30a1b5fe6395afdbea

      SHA256

      1f8daa6e49ee1c9b18c532f488043618dd27e350a62936da18fc98cdaaa8fbc5

      SHA512

      ec53a14c06196bf2cbdf09996816b9af5d2789ea94bb20434206720209a4c38786a10286e07229c4ece2c81683736d6e556511ab2941ac7d50cb0b84769dd7a0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\install.vbs
      MD5

      b92d64fe5b1d1f59df4b738262aea8df

      SHA1

      c8fb1981759c2d9bb2ec91b705985fba5fc7af63

      SHA256

      fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

      SHA512

      2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

      Download Submit
    • memory/1092-12-0x0000000000000000-mapping.dmp
      Download
    • memory/1092-17-0x0000000002550000-0x0000000002554000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1208-3-0x0000000000000000-mapping.dmp
      Download
    • memory/1432-2-0x0000000075BF1000-0x0000000075BF3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1456-4-0x0000000000000000-mapping.dmp
      Download
    • memory/1476-16-0x0000000000000000-mapping.dmp
      Download
    • memory/1784-10-0x0000000000000000-mapping.dmp
      Download
    • memory/1784-15-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/1904-8-0x0000000000000000-mapping.dmp
      Download
    • memory/1992-6-0x0000000000000000-mapping.dmp
      Download